chore(helm): Toolings as a separate chart

This commit is contained in:
rjshrjndrn 2023-01-24 15:52:55 +01:00
parent c5828afaf3
commit bb3386835f
24 changed files with 15709 additions and 847 deletions


@ -1,5 +1,5 @@
apiVersion: v2
name: utilties
name: tooling
description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.


@ -0,0 +1,2 @@
ci/
README.md.gotmpl


@ -1,14 +1,38 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: Added possibility to define additional init and sidecar container.
- kind: added
description: Added ability to remove namespaces from default resourceFilters list.
- kind: added
description: Prevent installing Kyverno in namespace kube-system.
- kind: fixed
description: Docs for generatecontrollerExtraResources.
- kind: changed
description: Exclude Kyverno namespace by default
description: Enable autogen internals by default.
- kind: fixed
description: Self signed certificates not using SANs.
- kind: added
description: Extra args support for init container.
- kind: added
description: Allow overriding of test security context and resource block.
- kind: added
description: Added possibility to define custom image registries
- kind: added
description: Enable adding optional annotations to configmaps
- kind: added
description: Add startup probes support
- kind: added
description: Support extra CRD annotations
- kind: added
description: Grafana dashboard.
artifacthub.io/links: |
- name: Documentation
url: https://kyverno.io/docs
artifacthub.io/operator: "false"
artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: v1.7.5
appVersion: v1.8.5
description: Kubernetes Native Policy Management
home: https://kyverno.io/
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
@ -26,4 +50,4 @@ name: kyverno
sources:
- https://github.com/kyverno/kyverno
type: application
version: v2.5.5
version: 2.6.5


@ -2,7 +2,7 @@
Kubernetes Native Policy Management
![Version: v2.5.5](https://img.shields.io/badge/Version-v2.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.5](https://img.shields.io/badge/AppVersion-v1.7.5-informational?style=flat-square)
![Version: 2.6.5](https://img.shields.io/badge/Version-2.6.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.8.5](https://img.shields.io/badge/AppVersion-v1.8.5-informational?style=flat-square)
## About
@ -46,6 +46,65 @@ The command deploys Kyverno on the Kubernetes cluster with default configuration
The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`.
Other ClusterRole/ClusterRoleBinding names are configurable.
**Notes on using ArgoCD:**
When deploying this chart with ArgoCD you will need to enable `Replace` in the `syncOptions`, and you probably want to ignore diff in aggregated cluster roles.
You can do so by following instructions in these pages of ArgoCD documentation:
- [Enable Replace in the syncOptions](https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes)
- [Ignore diff in aggregated cluster roles](https://argo-cd.readthedocs.io/en/stable/user-guide/diffing/#ignoring-rbac-changes-made-by-aggregateroles)
ArgoCD uses helm only for templating but applies the results with `kubectl`.
Unfortunately `kubectl` adds metadata that will cross the limit allowed by Kuberrnetes. Using `Replace` overcomes this limitation.
Another option is to use server side apply, this will be supported in ArgoCD v2.5.
Finally, we introduced new CRDs in 1.8 to manage resource-level reports. Those reports are associated with parent resources using an `ownerReference` object.
As a consequence, ArgoCD will show those reports in the UI, but as they are managed dynamically by Kyverno it can pollute your dashboard.
You can tell ArgoCD to ignore reports globally by adding them under the `resource.exclusions` stanza in the ArgoCD ConfigMap.
```yaml
resource.exclusions: |
- apiGroups:
- kyverno.io
kinds:
- AdmissionReport
- BackgroundScanReport
- ClusterAdmissionReport
- ClusterBackgroundScanReport
clusters:
- '*'
```
Below is an example of ArgoCD Application manifest that should work with this chart.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno
namespace: argocd
spec:
destination:
namespace: kyverno
server: https://kubernetes.default.svc
project: default
source:
chart: kyverno
repoURL: https://kyverno.github.io/kyverno
targetRevision: 2.6.0
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- Replace=true
```
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:
@ -68,14 +127,18 @@ The command removes all the Kubernetes components associated with the chart and
| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
| image.registry | string | `nil` | Image registry |
| image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository |
| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
| image.pullSecrets | list | `[]` | Image pull secrets |
| initImage.registry | string | `nil` | Image registry |
| initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository |
| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag |
| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy |
| testImage.repository | string | `nil` | Image repository Defaults to `busybox` if omitted |
| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. |
| testImage.registry | string | `nil` | Image registry |
| testImage.repository | string | `"busybox"` | Image repository |
| testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted |
| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
| replicaCount | int | `nil` | Desired number of pods |
@ -83,6 +146,7 @@ The command removes all the Kubernetes components associated with the chart and
| podAnnotations | object | `{}` | Additional annotations to add to each pod |
| podSecurityContext | object | `{}` | Security context for the pod |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods |
| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
@ -96,23 +160,31 @@ The command removes all the Kubernetes components associated with the chart and
| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
| envVarsInit | object | `{}` | Env variables for initContainers. |
| envVars | object | `{}` | Env variables for containers. |
| extraArgs | list | `["--autogenInternals=false"]` | Extra arguments to give to the binary. |
| extraArgs | list | `["--autogenInternals=true","--loggingFormat=text"]` | Extra arguments to give to the binary. |
| extraInitContainers | list | `[]` | Array of extra init containers |
| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno |
| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. |
| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits |
| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests |
| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ |
| generatecontrollerExtraResources | string | `nil` | |
| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. |
| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) |
| config.annotations | object | `{}` | Additional annotations to add to the configmap |
| config.excludeGroupRole | string | `nil` | Exclude group role |
| config.excludeUsername | string | `nil` | Exclude username |
| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) |
| config.generateSuccessEvents | bool | `false` | Generate success events. |
| config.metricsConfig | object | `{"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. |
| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap |
| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
| service.port | int | `443` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |
@ -131,13 +203,17 @@ The command removes all the Kubernetes components associated with the chart and
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false |
| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. |
| crds.annotations | object | `{}` | Additional CRDs annotations. |
| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |
| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
| grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
## TLS Configuration
@ -160,8 +236,10 @@ This chart comes with default resource filters that apply exclusions on a couple
- `SelfSubjectAccessReview`
- `Binding`
- `ReplicaSet`
- `ReportChangeRequest`
- `ClusterReportChangeRequest`
- `AdmissionReport`
- `ClusterAdmissionReport`
- `BackgroundScanReport`
- `ClusterBackgroundScanReport`
- all resources created by this chart itself
Those default exclusions are there to prevent disruptions as much as possible.
@ -194,7 +272,7 @@ Kubernetes: `>=1.16.0-0`
| Name | Email | Url |
| ---- | ------ | --- |
| Nirmata | | https://kyverno.io/ |
| Nirmata | | <https://kyverno.io/> |
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)


@ -1,110 +0,0 @@
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.description" . }}
{{ template "chart.badgesSection" . }}
## About
[Kyverno](https://kyverno.io) is a Kubernetes Native Policy Management engine.
It allows you to:
- Manage policies as Kubernetes resources (no new language required.)
- Validate, mutate, and generate resource configurations.
- Select resources based on labels and wildcards.
- View policy enforcement as events.
- Scan existing resources for violations.
This chart bootstraps a Kyverno deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Access the complete user documentation and guides at: https://kyverno.io.
## Installing the Chart
**Add the Kyverno Helm repository:**
```console
$ helm repo add kyverno https://kyverno.github.io/kyverno/
```
**Create a namespace:**
You can install Kyverno in any namespace. The examples use `kyverno` as the namespace.
```console
$ kubectl create namespace kyverno
```
**Install the Kyverno chart:**
```console
$ helm install kyverno --namespace kyverno kyverno/kyverno
```
The command deploys Kyverno on the Kubernetes cluster with default configuration. The [installation](https://kyverno.io/docs/installation/) guide lists the parameters that can be configured during installation.
The Kyverno ClusterRole/ClusterRoleBinding that manages webhook configurations must have the suffix `:webhook`. Ex., `*:webhook` or `kyverno:webhook`.
Other ClusterRole/ClusterRoleBinding names are configurable.
## Uninstalling the Chart
To uninstall/delete the `kyverno` deployment:
```console
$ helm delete -n kyverno kyverno
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
{{ template "chart.valuesSection" . }}
## TLS Configuration
If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate)
If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno).
## Default resource filters
[Kyverno resource filters](https://kyverno.io/docs/installation/#resource-filters) are a used to exclude resources from the Kyverno engine rules processing.
This chart comes with default resource filters that apply exclusions on a couple of namespaces and resource kinds:
- all resources in `kube-system`, `kube-public` and `kube-node-lease` namespaces
- all resources in all namespaces for the following resource kinds:
- `Event`
- `Node`
- `APIService`
- `TokenReview`
- `SubjectAccessReview`
- `SelfSubjectAccessReview`
- `Binding`
- `ReplicaSet`
- `ReportChangeRequest`
- `ClusterReportChangeRequest`
- all resources created by this chart itself
Those default exclusions are there to prevent disruptions as much as possible.
Under the hood, Kyverno installs an admission controller for critical cluster resources.
A cluster can become unresponsive if Kyverno is not up and running, ultimately preventing pods to be scheduled in the cluster.
You can however override the default resource filters by setting the `config.resourceFilters` stanza.
It contains an array of string templates that are passed through the `tpl` Helm function and joined together to produce the final `resourceFilters` written in the Kyverno config map.
Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list.
## High availability
Running a highly-available Kyverno installation is crucial in a production environment.
In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more.
You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones.
Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations.
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
{{ template "chart.maintainersSection" . }}
{{ template "helm-docs.versionFooter" . }}


@ -1,3 +0,0 @@
---
webhooksCleanup:
enable: true


@ -1,9 +0,0 @@
imagePullSecrets:
regcred:
registry: foo.example.com
username: foobar
password: secret
regcred2:
registry: bar.example.com
username: barbaz
password: secret2


@ -1,3 +0,0 @@
---
networkPolicy:
enabled: true



@ -113,16 +113,38 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- end }}
{{- define "kyverno.testSecurityContext" -}}
{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }}
{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }}
{{- else }}
{{ toYaml .Values.testSecurityContext }}
{{- end }}
{{- end }}
{{- define "kyverno.imagePullSecret" }}
{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
{{- end }}
{{- define "kyverno.image" -}}
{{- if .image.registry -}}
{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- else -}}
{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
{{- end -}}
{{- end }}
{{- define "kyverno.resourceFilters" -}}
{{- $resourceFilters := .Values.config.resourceFilters }}
{{- if .Values.excludeKyvernoNamespace }}
{{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }}
{{- end }}
{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }}
{{- range $filter := $resourceFilters }}
{{- if (contains (printf ",%s," $exclude) $filter) }}
{{- $resourceFilters = without $resourceFilters $filter }}
{{- end }}
{{- end }}
{{- end }}
{{- tpl (join "" $resourceFilters) . }}
{{- end }}
@ -136,4 +158,10 @@ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
{{- end }}
{{- $newWebhook | toJson }}
{{- end }}
{{- end }}
{{- define "kyverno.crdAnnotations" -}}
{{- range $key, $value := .Values.crds.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
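Review bot: `kyverno.imagePullSecret` in the first hunk builds the `.dockerconfigjson` document with `printf` and interpolates `.registry` unescaped, so a registry value containing `"` or `\` yields invalid JSON that is only rejected at image-pull time rather than at render time. Building the structure with `dict` and serialising it with `toJson` gets escaping for free: `{{- dict "auths" (dict .registry (dict "auth" (printf "%s:%s" .username .password | b64enc))) | toJson | b64enc }}`. Separately, in `kyverno.resourceFilters` the `contains (printf ",%s," $exclude) $filter` test runs before the `tpl` call, so a filter whose namespace field is itself a template expression is never matched by `resourceFiltersExcludeNamespaces`; a one-line comment such as `{{- /* exclusion matches the raw filter strings, before tpl expands them */ -}}` would make that ordering explicit.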


@ -32,8 +32,8 @@ rules:
- apiGroups:
- wgpolicyk8s.io
resources:
- policyreport
- clusterpolicyreport
- policyreports
- clusterpolicyreports
verbs:
- create
- delete
@ -49,13 +49,15 @@ metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-reportchangerequest
name: {{ template "kyverno.fullname" . }}:admin-reports
rules:
- apiGroups:
- kyverno.io
- kyverno.io
resources:
- reportchangerequests
- clusterreportchangerequests
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
@ -85,5 +87,25 @@ rules:
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
app: kyverno
name: {{ template "kyverno.fullname" . }}:admin-updaterequest
rules:
- apiGroups:
- kyverno.io
resources:
- updaterequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}
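Review bot: The ClusterRole added in the last hunk aggregates `create`, `delete`, `patch` and `update` on `updaterequests` into the built-in `admin` role through the `rbac.authorization.k8s.io/aggregate-to-admin` label. UpdateRequests appear to be controller-managed state rather than user-authored objects, so write verbs for every namespace admin may be wider than needed; if read access is the intent, `get`/`list`/`watch` would suffice, and otherwise a comment above the rule explaining why admins must write them would help the next reviewer. The `{{- if .Values.rbac.create }}` guard closed by the final `{{- end }}` starts outside the hunk.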


@ -1,6 +1,17 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.matchLabels" . | nindent 6 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
labels: {{ include "kyverno.labels" . | nindent 4 }}
@ -35,10 +46,10 @@ rules:
- generaterequests/status
- updaterequests
- updaterequests/status
- reportchangerequests
- reportchangerequests/status
- clusterreportchangerequests
- clusterreportchangerequests/status
- admissionreports
- clusteradmissionreports
- backgroundscanreports
- clusterbackgroundscanreports
verbs:
- create
- delete
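Review bot: The new aggregated ClusterRole at the top of the first hunk selects its constituent roles by `kyverno.matchLabels` alone; the `:admin-*` ClusterRoles elsewhere in this commit carry `kyverno.labels`, and if that set includes `kyverno.matchLabels` their rules are also folded into the role bound to the Kyverno ServiceAccount, as is any ClusterRole a cluster user later creates with the same labels. A dedicated aggregation label in `matchLabels`, set only on the roles meant for the controller (constructed example: `kyverno.io/aggregate-to-kyverno: "true"`), would keep the aggregated permission set explicit. I cannot see the `kyverno.matchLabels` or `kyverno.labels` helpers here, so the overlap is inferred from their names.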


@ -1,92 +1,16 @@
{{- if .Values.rbac.create }}
{{- if .Values.rbac.create -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:userinfo
name: {{ template "kyverno.fullname" . }}
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:userinfo
name: {{ template "kyverno.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:policies
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:policies
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:view
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:view
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:generate
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:generate
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:events
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:events
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.fullname" . }}:webhook
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.fullname" . }}:webhook
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.serviceAccountName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- end }}
{{- end -}}


@ -4,6 +4,10 @@ kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
{{- with .Values.config.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.configMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
data:



@ -65,9 +65,16 @@ spec:
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
initContainers:
{{- if .Values.extraInitContainers }}
{{- toYaml .Values.extraInitContainers | nindent 8 }}
{{- end }}
- name: kyverno-pre
image: {{ .Values.initImage.repository }}:{{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }}
image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }}
{{- if .Values.initContainer.extraArgs }}
args:
{{ tpl (toYaml .Values.initContainer.extraArgs) . }}
{{- end }}
{{- with .Values.initResources }}
resources: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
@ -81,14 +88,21 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KYVERNO_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.fullname" . }}
{{- with .Values.envVarsInit }}
{{- toYaml . | nindent 10 }}
{{- end }}
containers:
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 8 }}
{{- end }}
- name: kyverno
image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or .Values.extraArgs .Values.imagePullSecrets }}
args:
@ -125,6 +139,8 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: KYVERNO_SERVICEACCOUNT_NAME
value: {{ template "kyverno.serviceAccountName" . }}
- name: KYVERNO_SVC
value: {{ template "kyverno.serviceName" . }}
- name: TUF_ROOT
@ -134,6 +150,9 @@ spec:
{{- end }}
- name: KYVERNO_DEPLOYMENT
value: {{ template "kyverno.fullname" . }}
{{- with .Values.startupProbe }}
startupProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
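Review bot: The `args:` block for `kyverno-pre` in the first hunk renders `{{ tpl (toYaml .Values.initContainer.extraArgs) . }}` without `nindent`, so only the first list item inherits the template line's indentation; a second entry in `initContainer.extraArgs` lands at column 0 and the Deployment manifest fails to parse. The sibling `resources:` line uses `nindent 12`, and the same applies here: `args:` followed by `{{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }}`. The single-element default `["--loggingFormat=text"]` documented in the README hides this, and the container spec continues outside the hunk.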


@ -0,0 +1,13 @@
{{- if .Values.grafana.enabled -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "kyverno.configMapName" . }}-grafana
namespace: {{ default (include "kyverno.namespace" .) .Values.grafana.namespace }}
annotations:
{{- toYaml .Values.grafana.annotations | nindent 4 }}
labels:
grafana_dashboard: "1"
data:
{{ (.Files.Glob "grafana/*").AsConfig | indent 2 }}
{{- end -}}
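Review bot: `annotations:` is emitted unconditionally in the grafana ConfigMap, so with the default `grafana.annotations: {}` the rendered metadata contains `annotations:` followed by `{}`; valid, but inconsistent with the config and metrics ConfigMaps in this commit, which wrap the same block in `{{- with ... }}`. Matching that form keeps the manifests uniform: `{{- with .Values.grafana.annotations }}` / `annotations: {{- toYaml . | nindent 4 }}` / `{{- end }}`.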


@ -4,6 +4,10 @@ kind: ConfigMap
metadata:
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
{{- with .Values.config.metricsConfig.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ template "kyverno.metricsConfigMapName" . }}
namespace: {{ template "kyverno.namespace" . }}
{{- if .Values.config.metricsConfig }}


@ -1,14 +1,17 @@
{{- if .Values.createSelfSignedCert }}
{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}}
{{- $cert := genSignedCert (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) nil nil 1024 $ca -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca
labels: {{ include "kyverno.labels" . | nindent 4 }}
app: kyverno
type: kubernetes.io/tls
data:
rootCA.crt: {{ $ca.Cert | b64enc }}
tls.key: {{ $ca.Key | b64enc }}
tls.crt: {{ $ca.Cert | b64enc }}
---
apiVersion: v1
kind: Secret
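Review bot: `genCA` and `genSignedCert` on the second and fourth lines of the hunk are non-deterministic, so every `helm upgrade` mints a new CA and leaf certificate and rewrites both Secrets; unless the webhook `caBundle` fields are rendered from the same `$ca` in the same release (not visible here), admission calls fail until they are refreshed. Reusing the existing Secret via `lookup` when one is present, or at least a comment stating that `createSelfSignedCert` rotates the CA on every upgrade, would make the behaviour explicit. The CA Secret now also persists the CA private key as `tls.key`, which the previous `rootCA.crt`-only layout did not; presumably Kyverno 1.8 needs it for renewal, but that change in what the Secret holds deserves a comment above the `data:` block.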


@ -10,16 +10,28 @@ spec:
restartPolicy: Never
containers:
- name: wget
image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
- |
sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness
- name: wget-metrics
image: {{ .Values.testImage.repository | default "busybox" }}{{- if .Values.testImage.tag }}:{{ .Values.testImage.tag }}{{- end }}
image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
{{- with .Values.testResources }}
resources: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.testSecurityContext }}
securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
{{- end }}
command:
- /bin/sh
- -c
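Review bot: The new `securityContext` guard uses `{{- if .Values.testSecurityContext }}` while the `resources` guard two lines above uses `with`; the difference is presumably deliberate, since `include "kyverno.testSecurityContext" .` needs the root context rather than the values block, but a one-line comment `{{- /* if, not with: the helper reads the root context */ }}` would stop the next reader from "fixing" it. The eight new lines are repeated verbatim for both the `wget` and `wget-metrics` containers; a named template for the shared image/pullPolicy/resources/securityContext stanza would remove the duplication. The container spec continues past the end of the hunk.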


@ -7,3 +7,7 @@
{{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }}
{{- end }}
{{- end }}
{{- if eq (include "kyverno.namespace" .) "kube-system" }}
{{ fail "Kyverno cannot be installed in namespace kube-system." }}
{{- end }}


@ -23,8 +23,13 @@ rbac:
# example.com/annotation: value
image:
# -- Image registry
registry:
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyverno
# -- Image repository
repository: ghcr.io/kyverno/kyverno
repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests
# -- Image tag
# Defaults to appVersion in Chart.yaml if omitted
tag: # replaced in e2e tests
@ -35,8 +40,13 @@ image:
# - secretName
initImage:
# -- Image registry
registry:
# If you want to manage the registry you should remove it from the repository
# registry: ghcr.io
# repository: kyverno/kyvernopre
# -- Image repository
repository: ghcr.io/kyverno/kyvernopre
repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests
# -- Image tag
# If initImage.tag is missing, defaults to image.tag
tag: # replaced in e2e tests
@ -44,10 +54,17 @@ initImage:
# If initImage.pullPolicy is missing, defaults to image.pullPolicy
pullPolicy:
initContainer:
# -- Extra arguments to give to the kyvernopre binary.
extraArgs:
- --loggingFormat=text
testImage:
# -- Image registry
registry:
# -- Image repository
# Defaults to `busybox` if omitted
repository:
repository: busybox
# -- Image tag
# Defaults to `latest` if omitted
tag:
@ -81,6 +98,20 @@ securityContext:
seccompProfile:
type: RuntimeDefault
# -- Security context for the test containers
testSecurityContext:
runAsUser: 65534
runAsGroup: 65534
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
# -- Optional priority class to be used for kyverno pods
priorityClassName: ''
@ -141,7 +172,22 @@ envVars: {}
# -- Extra arguments to give to the binary.
extraArgs:
- --autogenInternals=false
- --autogenInternals=true
- --loggingFormat=text
# -- Array of extra init containers
extraInitContainers: []
# Example:
# - name: init-container
# image: busybox
# command: ['sh', '-c', 'echo Hello']
# -- Array of extra containers to run alongside kyverno
extraContainers: []
# Example:
# - name: myapp-container
# image: busybox
# command: ['sh', '-c', 'echo Hello && sleep 3600']
# -- Image pull secrets for image verify and imageData policies.
# This will define the `--imagePullSecrets` Kyverno argument.
@ -176,6 +222,29 @@ initResources:
cpu: 10m
memory: 64Mi
testResources:
# -- Pod resource limits
limits:
cpu: 100m
memory: 256Mi
# -- Pod resource requests
requests:
cpu: 10m
memory: 64Mi
# -- Startup probe.
# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
# @default -- See [values.yaml](values.yaml)
startupProbe:
httpGet:
path: /health/liveness
port: 9443
scheme: HTTPS
failureThreshold: 20
initialDelaySeconds: 2
periodSeconds: 6
# -- Liveness probe.
# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want.
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
@ -206,9 +275,8 @@ readinessProbe:
failureThreshold: 6
successThreshold: 1
# TODO(mbarrien): Should we just list all resources for the
# generatecontroller in here rather than having defaults hard-coded?
generatecontrollerExtraResources:
# -- Additional resources to be added to controller RBAC permissions.
generatecontrollerExtraResources: []
# - ResourceA
# - ResourceB
@ -216,6 +284,10 @@ generatecontrollerExtraResources:
# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters
excludeKyvernoNamespace: true
# -- resourceFilter namespace exclude
# Namespaces to exclude from the default resourceFilters
resourceFiltersExcludeNamespaces: []
config:
# -- Resource types to be skipped by the Kyverno policy engine.
# Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list.
@ -233,8 +305,10 @@ config:
- '[SelfSubjectAccessReview,*,*]'
- '[Binding,*,*]'
- '[ReplicaSet,*,*]'
- '[ReportChangeRequest,*,*]'
- '[ClusterReportChangeRequest,*,*]'
- '[AdmissionReport,*,*]'
- '[ClusterAdmissionReport,*,*]'
- '[BackgroundScanReport,*,*]'
- '[ClusterBackgroundScanReport,*,*]'
# exclude resources from the chart
- '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]'
- '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]'
@ -255,6 +329,9 @@ config:
# -- Name of an existing config map (ignores default/provided resourceFilters)
existingConfig: ''
# -- Additional annotations to add to the configmap
annotations: {}
# example.com/annotation: foo
# -- Exclude group role
excludeGroupRole:
# - ''
@ -284,6 +361,9 @@ config:
generateSuccessEvents: false
# -- Metrics config.
metricsConfig:
# -- Additional annotations to add to the metricsconfigmap
annotations: {}
# example.com/annotation: foo
namespaces: {
"include": [],
"exclude": []
@ -356,7 +436,7 @@ serviceMonitor:
# 2) Provide your own CA and cert.
# In this case, you will need to create a certificate with a specific name and data structure.
# As long as you follow the naming scheme, it will be automatically picked up.
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entry named rootCA.crt)
# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt)
# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt)
# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true
# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false
@ -366,6 +446,12 @@ createSelfSignedCert: false
# If the CRDs are not installed by Helm, they must be added before policies can be created.
installCRDs: true
crds:
# -- Additional CRDs annotations.
annotations: {}
# argocd.argoproj.io/sync-options: Replace=true
# strategy.spinnaker.io/replace: 'true'
networkPolicy:
# -- When true, use a NetworkPolicy to allow ingress to the webhook
# This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup.
@ -379,5 +465,14 @@ webhooksCleanup:
# -- `kubectl` image to run commands for deleting webhooks.
image: bitnami/kubectl:latest
# -- A writable volume to use for the TUF root initialization
# -- A writable volume to use for the TUF root initialization.
tufRootMountPath: /.sigstore
grafana:
# -- Enable grafana dashboard creation.
enabled: false
# -- Namespace to create the grafana dashboard configmap.
# If not set, it will be created in the same namespace where the chart is deployed.
namespace:
# -- Grafana dashboard configmap annotations.
annotations: {}
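Review bot: The default `resourceFilters` list now skips the report kinds `AdmissionReport`, `ClusterAdmissionReport`, `BackgroundScanReport` and `ClusterBackgroundScanReport`, apparently in place of the `ReportChangeRequest` entries, but nothing tells a user who overrides `config.resourceFilters` or points `config.existingConfig` at their own ConfigMap that these entries must be carried over; without them Kyverno would presumably admit and scan its own report objects. A comment above the new entries such as `# Kyverno's own report resources - keep these when overriding resourceFilters or using existingConfig` would make the migration visible. Separately, `testImage.repository: busybox` resolved with the template's `defaultTag "latest"` pulls a mutable Docker Hub tag into the cluster during `helm test`; pinning a tag under `testImage.tag` (or a digest) in the default values would make the test pod reproducible, and the new `registry:` key already lets operators redirect the pull to a mirror.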


@ -2,6 +2,10 @@ apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: cosign
namespace: "{{ .Release.Namespace }}"
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-weight": "4" # Higher precidence, so the first the config map will get created.
spec:
validationFailureAction: enforce
background: false
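Review bot: Turning the Policy into a hook (`"helm.sh/hook": post-install, post-upgrade`) takes it out of the release's tracked resources, so `helm uninstall` will not remove it unless a pre-delete hook or manual cleanup is documented; a comment such as `# hook resource: not deleted by helm uninstall` next to the annotation would flag that. The weight comment reads "Higher precidence" (typo: precedence), and in Helm lower weights run first, so the claim that the ConfigMap is created before this Policy relies on that ConfigMap carrying a lower weight, which this hunk does not show. Quoting `namespace: "{{ .Release.Namespace }}"` is the right call for a templated scalar.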


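--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,3 @@
+kyverno:
+fullnameOverride: kyverno
+excludeKyvernoNamespace: false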